Sequelize — CVE history (npm)

Sequelize

14 CVEs affect the Sequelize npm package (highest CVSS 10.0). Latest disclosed: 2026-03-10. Full CVE history sourced from NVD.

Summary

| Field | Value |
| --- | --- |
| Package | Sequelize (npm) |
| Total CVEs | 14 |
| Actively exploited (CISA KEV) | 0 |
| Highest CVSS | 10.0 |
| Latest disclosed | 2026-03-10 |

Recent CVEs (top 14)

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-30951 | High | 7.5 | No | 2026-03-10 | Sequelize is a Node.js ORM tool. |
| CVE-2023-25813 | Critical | 10.0 | No | 2023-02-22 | Sequelize is a Node.js ORM tool. |
| CVE-2023-22580 | Medium | 5.3 | No | 2023-02-16 | Due to improper input filtering in the sequelize js library, malicious queries can lead to sensitive information disclosure. |
| CVE-2023-22579 | Critical | 9.9 | No | 2023-02-16 | Due to improper parameter filtering in the sequelize js library, an attacker can perform injection. |
| CVE-2023-22578 | Critical | 10.0 | No | 2023-02-16 | Due to improper attribute filtering in the sequelize js library, an attacker can perform SQL injections. |
| CVE-2019-10749 | Critical | 9.8 | No | 2019-10-29 | sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. |
| CVE-2019-10748 | Critical | 9.8 | No | 2019-10-29 | Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. |
| CVE-2019-10752 | Critical | 9.8 | No | 2019-10-17 | Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to the sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite. |
| CVE-2019-11069 | High | 7.5 | No | 2019-04-10 | Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used. |
| CVE-2016-10554 | Critical | 9.8 | No | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. |
| CVE-2016-10553 | Critical | 9.8 | No | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. |
| CVE-2016-10550 | Critical | 9.8 | No | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. If user input goes into the `limit` or `order` parameters, a malicious u… |
| CVE-2016-10556 | High | 7.5 | No | 2018-05-29 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. In Postgres, SQLite, and Microsoft SQL Server there is an issue where ar… |
| CVE-2015-1369 | | | No | 2015-01-27 | SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter. |

All-time worst (top 10 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2023-25813 | Critical | 10.0 | No | 2023-02-22 | Sequelize is a Node.js ORM tool. |
| CVE-2023-22578 | Critical | 10.0 | No | 2023-02-16 | Due to improper attribute filtering in the sequelize js library, an attacker can perform SQL injections. |
| CVE-2023-22579 | Critical | 9.9 | No | 2023-02-16 | Due to improper parameter filtering in the sequelize js library, an attacker can perform injection. |
| CVE-2019-10749 | Critical | 9.8 | No | 2019-10-29 | sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. |
| CVE-2019-10748 | Critical | 9.8 | No | 2019-10-29 | Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. |
| CVE-2019-10752 | Critical | 9.8 | No | 2019-10-17 | Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to the sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite. |
| CVE-2016-10554 | Critical | 9.8 | No | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. |
| CVE-2016-10553 | Critical | 9.8 | No | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. |
| CVE-2016-10550 | Critical | 9.8 | No | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. If user input goes into the `limit` or `order` parameters, a malicious u… |
| CVE-2026-30951 | High | 7.5 | No | 2026-03-10 | Sequelize is a Node.js ORM tool. |